Web3 security opportunities and lessons we need to learn from Web2


Even though much of the initial hype around the crypto-economy was based on its use of blockchain technology, more and more people over the past couple of years (especially after the decentralized finance boom of 2020) have started to realize that the ongoing Web3 revolution is much broader than its underlying technology.

In other words, Web3 represents an entirely new paradigm for the World Wide Web (Web2) – a paradigm that is rooted not only in the ethics of decentralization and shared data ownership, but also in transparency.

However, like any other technology, Web3 also has its share of problems. As this industry has grown over the past few years, the entry of bad actors and hackers has also increased. Since these individuals are financially incentivized to carry out their nefarious schemes, it is possible for them to illegally acquire millions of dollars through a single exploit, which is completely unheard of in the world of traditional Web2 systems.

To elaborate, even though there are several well-established security/privacy systems in the Web3 market today (such as OpenZeppelin’s secure contract library, Immunefi’s bug bounty, and PeckShield’s scam token and phishing site protection), the market continues to face an increasing number of hacks, seemingly on a monthly basis. For example, earlier in October, Binance’s BSC Token Hub bridge was drained of over $500 million after hackers were able to tamper with artificial withdrawal proofs. Similarly, Axie Infinity’s Ronin Bridge was hacked earlier this year for $650 million.



How can Web3 become more secure?

Right off the bat, it’s worth mentioning that no magic solution can make Web2 and Web3 systems completely airtight. However, we can use a comprehensive layered security approach to minimize risk, including monitoring and incident response.

In this regard, decentralized real-time threat detection networks capable of enhancing the security of Web3 platforms – while providing monitoring of blockchain activity – can be very useful. Additionally, it can be useful to incorporate features such as community incentivization, as they allow participants of these platforms to shape the future of the network and take ownership of the value they generate.

That said, analyzing the similarities and differences between Web2 and Web3 can reveal great opportunities for strengthening and innovating in Web3 security. So, without further ado, let’s get straight to the heart of the matter.

A look at the similarities between Web3 and Web2

Many have argued that blockchain transactions exhibit a high degree of atomicity; however, when it comes to Web2 systems, hackers have to go through a whole series of complicated steps to facilitate their illegal actions. Essentially, atomicity refers to the idea that a single transaction contains many different actions, all of which must be correct in order to be accepted. In other words, if any individual part of the transaction is incorrect or conflicting, the entire transaction will fail.

That said, when it comes to Web3 platforms, attackers still need to take several action steps, including financing, preparing, exploiting, and finally laundering the illegally acquired funds. But each of these steps allows security vendors to monitor, prevent, and mitigate potential attacks.

Another key similarity between Web2 and Web3 is the element of social engineering attacks. Since the digital infrastructure underlying Web3 still lags behind its centralized counterpart, better solutions are needed to make social engineering attacks more difficult within Web3.


When discussing Web2 technologies, the issue of “attacker/defender imbalance” is always important, as an attacker only needs to be right once, while security defenders need to be right every time. However, with the distributed configuration of Web3 systems, the roles are reversed: while an attacker only needs to be right once, only one of thousands of defenders needs to be right at least once.

In addition, the data contained in blockchains is available to all participants in the network, unlike in Web2 systems, where only selected information is made public, especially from a security point of view. Thanks to the distributed nature of Web3, the potential for stimulating innovation by the entire security research community (through the use of various approaches) is much greater.

Another obvious difference is that when dealing with Web3 it is easier to assess losses because all of an attacker’s transactions are available on a public ledger. As a result, it is possible to design superior risk quantification models capable of providing robust cyber insurance and protocol risk mitigation strategies.

Finally, attacks in the Web3 domain have a kind of finality, thanks to the immutable nature of the blockchain. However, when it comes to Web2, things are much grayer because stolen details (such as personal credentials) can lead to continuous uncontrolled loss. Thus, in Web3, this will likely lead to new mitigation strategies and result in the adoption of cyber insurance in the short to medium term.

What future for the Web3 ecosystem?

As is probably obvious by now, the Web3 technology paradigm is poised to completely revolutionize the way people around the world operate on a day-to-day basis; however, at the same time, it also faces several challenges. That being said, in recent years an increasing number of skilled developers have entered this rapidly evolving niche, helping to innovate and solve many of the pressing security challenges facing Web3 users today.

Christian Seifert is a Forta Community Security Researcher who previously spent 14 years working in web security at Microsoft.

